Comment by chedabob

5 days ago

Does the Yandex HTTPS one mean they're shipping the private key for their cert in the app, therefore anything running on localhost (or on a network with poisoned DNS) can spoof the yandexmetrica site?

There is a cert for it in the logs: https://crt.sh/?q=yandexmetrica.com

Yes, but presumably they aren't hosting anything on yandexmetrica.com, so any attacker might as well register yandexmetrica.net and get an SSL cert for that.

These sites both have the same potential for abuse.